According to experts, it’s not uncommon for forensic investigations to expose a greater number of victims than initial estimates.

“This often happens with breaches, on a much smaller scale,” said Wesley McGrew, a security expert at Horne Cyber. “Initially, the investigation establishes a set of compromised systems and data that encompasses a set of users, then later something is discovered that expands the compromised systems [or] access.”

Yahoo gets the top two spots on any list of security breaches.

In September 2016, Yahoo said that data associated with at least 500 million accounts had been stolen. Three months later, it disclosed a second breach — the one that’s now been revealed to have affected all three billion customer accounts that existed at the time.

The Yahoo breaches exposed usernames and passwords and let miscreants take over Yahoo accounts (and any other accounts that used the same credentials). The Equifax breach exposed names, address, dates of birth and Social Security numbers of 145 million U.S. residents. Those are the keys to a person’s entire identity, and anyone holding them could do nearly anything in someone else’s name.

The company that was Yahoo still exists as an independent entity. It is now called Altaba and is mainly a holding company for the shares in Yahoo Japan and the Chinese internet company Alibaba, both of which greatly appreciated in value after Yahoo acquired them many years ago.

Yahoo was one of the first web-only companies, and pioneered many things that we now take for granted, but these gargantuan data breaches will, deservedly or not, be its lasting legacy.